TO IMPROVE ENTERPRISE RISK MANAGEMENT, COMMUNICATE DIRECTLY WITH THE BOARD

Regulators and investors are increasingly expecting more precise and rigorous enterprise risk management (ERM) processes. Effective ERM programs ensure the visibility of new or growing risks to an organisation’s board of directors.

Board members, for their part, need to be assured that the organisation’s ERM program is sound, well-designed, comprehensive in scope, and effective at catching new risks. They must also determine that the risk assessment process works properly and that mitigation capabilities are solid.

COSO’s ERM framework executive summary states that it is imperative that the “board of directors provides important oversight to enterprise risk management and is aware of and concurs with the entity’s risk appetite”. The operative word here is “oversight”. While board members may not be in the trenches of risk management, they should actively oversee the way in which the organisation is handling the process. Members need to make it their business to know what’s going on. Still, many (if not most) boards delegate oversight of risk management to other groups, such as the audit committee.

The ability of the board or a committee to provide oversight depends largely on the flow of information between the board, senior leaders, risk managers and risk owners. Best-practice organisations understand that clearly and directly communicating risks to the board of directors is the best way to ensure effective supervision of risk management.